Forensic Analysis and Security
As IoT gains momentum among consumers, you need to know what the implications are for government security
- By Christa Miller
- May 01, 2018
Connected or smart devices in or on buildings, vehicles,
and even people include software, mobile apps, sensors,
and network connectivity used to collect and exchange
data. They are also all part of the Internet of Things (IoT).
The point: to remotely monitor and manipulate these devices, as well
as evaluate trends in their use.
IoT devices include medical equipment, such as heart monitoring
implants and biochip transponders; wearables, such as the Apple
Watch and FitBit; building automation, such as lighting and thermostats;
vehicle infotainment and assistance systems, as well as driverless
vehicles; and appliances including ovens, refrigerators, washers
and dryers.
When it comes to securing government facilities, operations, and
personnel, IoT presents a considerable challenge, not just from individuals
who use it for everyday life and work, but also internally, as
more contractors and agencies implement it for business and facilities
operations.
The Risks of IoT in Government Facilities
“Shadow IT” and rogue devices, whether connected to a network
port or to a facility’s Wi-Fi, have been a risk for the better part of
a generation. Many are designed to make work more convenient;
some are intentionally malicious. To that end, most corporate security
experts are familiar with unauthorized access points such as an
employee’s device used as a personal wireless access point, or ad hoc
peer-to-peer connections.
Finding them as part of a robust intrusion detection protocol is
no longer as easy as performing a port scan or interrogating a router for hardware addresses. With IoT devices in
the mix, “rogue” takes on a whole new meaning.
Their presence may not originate with
employees, and because the sensors and data
sources used to connect devices may themselves
be “rogue.”
A vulnerable, unpatched thermostat, refrigerator
or dishwasher in the staff kitchen,
or smoke detector in an otherwise hardened
building, could become part of a global botnet
like Mirai, and be used to attack other
systems, even other governments.
Any device that uses voice commands
to operate must, as TripWire’s Leslie Sloan
wrote in 2016, always be listening “and sending
that captured data back to its controlling
server.” People discussing sensitive data
related to government operations must take
extra care around these devices. Finally, personal
wearable devices such as fitness bands
or even surgical implants may interact in unintended
ways with facility networks.
Securing—and Investigating—
the Network
A “simple IoT architecture,” Shawn Wasserman
wrote in 2016, “includes devices within
a firewall, wireless devices outside the firewall
and having those devices connecting
into the IoT platform. Then, all of this will
be used in an application that will use the
data from the devices to perform a function.
All these systems, applications, and development
tools used to make the system must be
made secure.
“The issue is that because all of these
different systems are under the control of
various organizations on the vendor, customer,
and public levels, it can be confusing
to establish who is really responsible for all
of this IoT security.” In addition, IoT comes
into play when employees or contractors
work from home.
Reflecting that “network administrators
need to know exactly what is in the environment,
or the network—including when an
adversary has switched out one device for
another,” government R&D nonprofit MITRE
issued a challenge in late 2016 to build
“a unique identifier or fingerprint to enable
administrators to enumerate the IoT devices
while passively observing the network.” (A
Georgia-based team won.)
Such proactive measures, however, must
be backed up by strong investigative processes
when a reactive, post-breach stance
is needed. In other words, IT security staffs
need to know how to obtain forensic data
from IoT devices, as they would for any suspect
mobile device or laptop.
Where Can Forensic
Data Come From?
Where IoT data is stored isn’t as simple as
imagining a FitBit, Nest, or Echo Dot as if it
were a computer or smartphone. The amount
of data stored on these devices may be comparable
to a vehicle or aircraft digital or event
data recorder, storing only a limited amount
of history. For example, the Amazon Echo
and Echo Dot only store less than the last 60
seconds of recorded sound in their local storage
buffers.
The bulk of telemetry and other usage
data is instead likely to be accessible from a
paired, “controller” smartphone, or from the
user’s account in the cloud. In addition, services
such as OnStar, available with GM Fleet
connected vehicles, can generate data with
forensic value associated with automated
collision response, stolen vehicle assistance,
Wi-Fi hotspots, and turn-by-turn directions
among other services.
OnStar Wi-Fi hotspots and direction
guidance can provide location related information,
including destinations, while time
stamps provide time-related context as well
as putting the user in a location at a particular
time. Timing also comes into play with
remote commands. Time- and location-related
“patterns of life” in a work context can
show both expected and unexpected travel
activities.
The proliferation of IoT devices, needless
to say, demands continued research—
a cooperative effort, wrote Wasserman, on
the part of security and engineering experts
together. Researchers need to examine
more closely whether and how much data
is stored on devices, including becoming
trained and equipped to remove memory
chips if needed to collect the data via JTAG
or chip-off processes.
Investigators also need the software to recover
data from the cloud, bearing in mind
that it’s another data source for a corporate
investigation as encryption on smartphones
and computers becomes more prevalent.
Finally, careful coordination with human
resources and legal teams is important when
it comes to the impact of personal employee
devices on a government network. Most employees
understand that they have less of an
expectation of privacy while at work, using
work resources—whether a device or a network—
to complete tasks.
However, when it comes to wearable
devices like FitBit, employers may need to
tread more carefully. Employees’ personal
health information (PHI) including heart
rate, physical activity, and sleep patterns are
accessible from their devices. The data has
proven useful in criminal cases, including
rape and homicide allegations, but may be of
less value in internal investigations.
IoT can be valuable for individuals, businesses,
and governments alike, but its risks
must be carefully understood and proactively
managed. This includes knowing how
to conduct investigations on the devices, the
cloud servers that store their data, and the
smartphones that control them—for both research
and investigative purposes.
This article originally appeared in the May 2018 issue of Security Today.